Description
Problem Description:
IP-based Knox policies don't work when Knox is behind a Load Balancer, because the Ranger Knox plugin currently doesn't accept and pass on the "X-Forwarded-For" header to the Ranger policy engine.
Impact:
In an environment where Knox is running behind a Load Balancer and Knox has a Ranger policy to allow/deny access to Hadoop services based on client IP addresses, this won't work as expected due to this bug.
Expected Behavior:
1. The Knox plugin should process the "X-Forwarded-For" header received from the Load Balancer and pass it on to the policy engine in the form of 'RangerAccessRequestImpl.forwardedAddresses'.
Steps to reproduce:
1. Install and configure Knox behind a Load Balancer.
2. Enable the Ranger Knox plugin.
3. Also set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and "ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-separated-ip-of-load-balancers>".
4. Define a Knox policy to allow access to a user from designated client IP(s).
5. Try to access any WebHDFS (for example) resource through Knox via the Load Balancer from the designated client host.
Workaround:
None
Issue Links
- is related to RANGER-962 Ranger plugin should have an option to use X-Forwarded-For address (Resolved)
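The trust decision that the two settings in step 3 imply, as an added Java example (not code from Ranger or Knox, and not part of the original report): the forwarded address is used for IP-based policy evaluation only when the TCP peer is a listed load balancer. The class and method names are hypothetical, the addresses are constructed, and reading the header from right to left is an assumption of this example rather than documented Ranger behaviour.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ForwardedClientIp {

    /** Splits an X-Forwarded-For value ("client, proxy1, proxy2") into its hops. */
    static List<String> parseForwardedFor(String header) {
        List<String> hops = new ArrayList<>();
        if (header == null) return hops;
        for (String part : header.split(",")) {
            String hop = part.trim();
            if (!hop.isEmpty()) hops.add(hop);
        }
        return hops;
    }

    /**
     * Returns the address an IP-based policy should be evaluated against.
     * The header counts only when enabled and the TCP peer is a trusted proxy.
     */
    static String resolveClientIp(String remoteAddr, String forwardedFor,
                                  boolean useForwardedFor, Set<String> trustedProxies) {
        if (!useForwardedFor || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        List<String> hops = parseForwardedFor(forwardedFor);
        // Start at the hop nearest to us and skip hops that are trusted proxies.
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!trustedProxies.contains(hops.get(i))) {
                return hops.get(i);
            }
        }
        return remoteAddr; // header absent, or it lists only trusted proxies
    }

    public static void main(String[] args) {
        // Constructed sample values taken from documentation address ranges.
        Set<String> lbs = Set.of("192.0.2.10", "192.0.2.11");
        // Relayed by a load balancer: the policy sees the real client.
        System.out.println(resolveClientIp("192.0.2.10", "203.0.113.7", true, lbs));
        // Direct connection carrying the header: the header is ignored.
        System.out.println(resolveClientIp("198.51.100.9", "203.0.113.7", true, lbs));
        // Client-supplied first entry, real peer appended by the first balancer.
        System.out.println(resolveClientIp("192.0.2.11", "10.0.0.1, 203.0.113.7, 192.0.2.10", true, lbs));
        // Setting disabled: every request appears to come from the balancer.
        System.out.println(resolveClientIp("192.0.2.10", "203.0.113.7", false, lbs));
    }
}
```

The last call reproduces the symptom in this report: with the header not consulted, an allow policy keyed on the client IP is evaluated against the load balancer's address instead.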